Back to listing

Teaching Tech-Fu - Students and the Digital 'Dark-Arts'

"The Dark Arts are many, varied, ever-changing and eternal. Fighting them is like fighting a many-headed monster, which, each time a neck is severed, sprouts a head even fiercer and cleverer than before. You are fighting that which is unfixed, mutating, indestructible. Your defences must therefore be as flexible and inventive as the Arts you seek to undo." 
-                    Professor Severus Snape            
Harry Potter and the Half-Blood Prince

For some reason, there is a tendency today towards hiding knowledge away from students that is deemed ‘unsuitable’ for them to know, something which seems to fly in the face of the very concepts underpinning education – transparency, honesty and curiosity. One of the most dangerous areas where this is occurring, especially given the current climate of furthering technology education in schools globally, is that of understanding information security protocols and how to protect oneself from the nefarious ‘hackers’ that are apparently around every corner.

Even here in the UK, where we have one of the best (if not the best) technology and computer science curricula to date, there is a huge amount of confusion as to what students should be taught regarding the so called ‘Dark Arts’ of the world’s information security researchers (pejoratively and incorrectly referred to as ‘hackers’ in the sensationalist media - a topic I have discussed on this blog previously, and one close to my heart.)

According to the Home Office in their Prevent Guide, having “specialist knowledge and skills in IT and communications” could be a gateway to potential law-breaking. The guide, intended to help police and local authorities spot ‘at-risk’ individuals, states that those who have undertaken formal IT training, or even those who have taught themselves, could have skills to “commit serious offences.” It goes on to suggest that some of these ‘dangerous’ skills include “hacking video games” or “sharing online”. The document goes further by saying “Early behaviours could include modifications to games or software and sharing online. Recent evidence suggests that the number of frauds committed by young adults are increasing.”

While that does indeed sound ominous and seems to be verified by the media every week with their new horror tales of hacks, scams, viruses, thefts, flim-flams, hijinks, lulz and chicanery online – it might be interesting to turn to the UK Department of Education to see what they mandate as important for kids to learn during their study of Computer Science:
 “A high-quality computing education equips pupils to use computational thinking and creativity to understand and change the world…“Building on this knowledge and understanding, pupils are equipped to use information technology to create programs, systems and a range of content.“Computing also ensures that pupils become digitally literate – able to use, and express themselves and develop their ideas through, information and communication technology – at a level suitable for the future workplace and as active participants in a digital world.”
Active Participants? Apparently not too active though, or you’re a potential criminal who needs to be watched.

While the curriculum aims to teach students how to “use technology safely, respectfully, responsibly and securely”, but only addresses online social issues such as avoiding online predators or dealing with online bullying. It doesn’t deal with the rights and wrongs of online life – the ethics of being a solid digital citizen, let alone why it’s probably not a good idea to infiltrate government and military networks as did British hackers Gary McKinnonLauri Love or Jake Davis.

This discrepancy between what a competent digital citizen should know and what some authorities feel is arcane or forbidden knowledge is causing confusion and creating a space where those children and students who are curious and interested in the capabilities of digital security systems are being left to their own devices and allowed to educate themselves in using this ‘digital voodoo’ with no oversight or guidance that might give them a better sense of the consequences of their online actions and help them avoid breaking the law in their quest for knowledge. Left to their own devices, it isn’t difficult to imagine what sort of imaginative – and destructive – uses a disaffected 17-year-old will find for their new talents.

We are effectively leaving it up to  Google and online communities like 4Chan and reddit to educate these kids in their quest for ‘binary badassery’ – not a great idea when you consider who these anonymous de-facto mentors might be behind the keyboard. Since the advent of social media, the internet has become the new public space – according to OfCom in their annual ‘MediaUse and Attitudes Report’ last year, people aged 16-24 spent an average of 27 hours 36 minutes online each week – nearly as long as a work week! Students themselves need to realise that they have a responsibility to other users in this new and pervasive public sphere.
There isn’t a need to tell students in a woodworking class not to hit each other over the head with hammers – they are very aware of the consequences of that action. But online, there is less tangible effect from your probing and investigating and indeed, many people being arrested for committing online security crimes are as young as 16! It seems reckless to allow children access to the most powerful tool that exists in the world today without giving them a primer on the capabilities, risks and ethics of using it. We don’t allow kids to learn about sexual health and interaction by asking google…can you imagine what the prevailing wisdom would be if we did?! Why is it any different for their digital interactions?
Recently, the VPN provider HideMyAss ran an experimentwhere they provided a 7 year old girl named Betsy Davies the instructions on how to run a ‘Man in the Middle’ attack on a public WiFi access point. In short, a MITM attack means that this little girl had set her computer as the access point for all the users on the network and was accepting and passing on ALL the data from anyone connected to her ‘rogue access point’. This hack took Betsy less than ten minutes, and the instructions to accomplish this feat are readily available from a quick google search.
Founder and CEO of, Hadi Partovi said recently; “Anytime you teach anything, ethics should be part of it…The same is true about driving. Or writing. It just happens that computer programming is like a superpower, so the incidence of people doing bad things with it are more noticeable. However, in a world where healthcare, commerce, transportation, communication and entertainment are all run by computers, this is a foundational field to which every single student should have basic exposure.”
“We don’t teach biology or chemistry to kids because they’re going to become surgeons or chemists,” Partovi said in a separate interview last month with Re/Code. “We teach them about photosynthesis and that water is H2O, or how lightbulbs work, just to understand the world around us. You don’t use any of it, but you do on a day-to-day basis use public-key encryption, and the average American has absolutely no idea what that is.”

So how can we confront this enormous issue? When it comes to kids and teenagers, the first and most obvious place to start is at school and at home. Responsible adults, teachers and parents have always had a duty to ensure that their young wards are not engaging in criminal activity, and this should be no different in the digital realm.
However, the problem we encounter time and again is the enormous disparity between adults and children when it comes to understanding the workings and uses of modern technology. In August last year an Ofcom survey found that younger people have a way more advanced understanding of technology than adults: apparently most 6 year olds have the same level of knowledge as the average 45 year old. If teachers and parents are to monitor and guide young people's use of technology and make sure they're not becoming involved in cyber-crime, they must first be able to understand the technology themselves.
In fact, Ofcom tells us that the most digitally confident people in the UK are teenagers aged between 14-19 years old. Using devices such as smartphones and tablets already seems like second nature for these digital natives, when it can take days for some adults to grasp even the concept of a touch screen!

So, what are we doing about this state of affairs in the UK? Not enough, it seems. The Department for Education gave Computing At Schools £3 million over two years to help schools prepare, but they are still waiting to hear if it will have any funding after March. And when you think about it, that £3m only amounts to around £150 per school - even less per teacher. Not close to enough to send them on a training or development day to simply improve their general digital knowledge. We need more hands-on training and upskilling for our educators if we can even hope to improve the prospects of students who are interested in infosec away from cybercrime. Let’s face it; if you don’t understand the application of the knowledge you are dispensing, if you haven’t had the experience of using it in context…how can you consider yourself an authority on the subject? Why should anyone else? In the immortal words of Bruce Lee: If you want to learn to swim, jump into the water. On dry land, no frame of mind is ever going to help you.

Teachers need to understand the ideas they are teaching, as well as the extent of their application in the real world in order to be respected by their students, to have a good grasp on the information they are putting into the world and most of all, to appreciate it’s practical use and ethical complications. At this point, we are attempting to closet away the things we don’t understand fully in order to avoid students from falling into the trap of becoming digital miscreants; the exact opposite of what we should be doing. People always fear what they don’t understand, and by not discussing the ideas around information security we are increasing the power of those in the inner-circle, those who would use the knowledge for their own destructive ends. We need to be more open and honest about the ‘Dark Arts’ – just like Hogwarts is, just as thousands of martial arts teachers have been for centuries: teaching someone Kung Fu always comes at the risk of them abusing their power and attacking or hurting others. But if all of us know a little Kung Fu (you don’t have to be a black-belt!) then none of us is as able to be victimised by those willing to abuse their knowledge for their own gain. All of us will be a little safer, knowing that even if we can’t save ourselves, there are others around us who are trained and knowledgeable, who can come to our aid when we need it.
Coders, hackers, programmers, data travellers, web-warriors and most of all, technology companies should be taking up the mantle of improving the general level of security on the internet by educating its denizens on the risks of ignorance. Governments should be relinquishing some of their power over the internet, in order to cultivate more empowered, knowledgeable, altruistic and social citizens. Teachers should be screaming loudly about the lack of resources, training and knowledge of the new curriculum in their industry. It shouldn’t be left to Spiderman to impart the wisdom of ages to the new crop of digital natives… “With great power, comes great responsibility.”